The Value of Physical Memory for Incident Response



Similar documents
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Oracle Database Vault: Design Failures

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

RMAR Technologies Pvt. Ltd.

CYBERTRON NETWORK SOLUTIONS

Getting Ahead of Malware

CRYPTUS DIPLOMA IN IT SECURITY

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

5 Steps to Advanced Threat Protection

Physical Memory Standard Operating Procedures

FORBIDDEN - Ethical Hacking Workshop Duration

Redline Users Guide. Version 1.12

Windows Operating Systems. Basic Security

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security

The Key to Secure Online Financial Transactions

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Operation Liberpy : Keyloggers and information theft in Latin America

Build Your Own Security Lab

Loophole+ with Ethical Hacking and Penetration Testing

Network Incident Report

Spyware Analysis. Security Event - April 28, 2004 Page 1

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Online Payments Threats

Keystroke Encryption Technology Explained

Threat Events: Software Attacks (cont.)

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Storm Worm & Botnet Analysis

INFORMATION SECURITY TRAINING CATALOG (2015)

Welcome To The L.R.F.H.S. Computer Group Wednesday 27 th November 2013

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Practical Threat Intelligence. with Bromium LAVA

CHAD TILBURY.

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

Host/Platform Security. Module 11

Driving Company Security is Challenging. Centralized Management Makes it Simple.

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Memory Forensics: Collecting & Analyzing Malware Artifacts from RAM

Persistence Mechanisms as Indicators of Compromise

That Point of Sale is a PoS

Spyware. Summary. Overview of Spyware. Who Is Spying?

Mobile Device Management:

Top Ten Cyber Threats

egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game.

BYOD AND NEXT- GENERATION MOBILE SECURITY

By:XÇzA A TÅÅtÜ ]A `t{åééw

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

Penetration Testing Report Client: Business Solutions June 15 th 2015

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Host-based Intrusion Prevention System (HIPS)

Spyware Doctor Enterprise Technical Data Sheet

Alert (TA14-212A) Backoff Point-of-Sale Malware

Evolving Threat Landscape

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

DoD Cyber Crime Center

Securing Secure Browsers

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Smartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved

Memory Forensics & Security Analytics: Detecting Unknown Malware

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

FORENSIC ANALYSIS Aleš Padrta

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security #RSAC

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Keyword: Cloud computing, service model, deployment model, network layer security.

CS 356 Lecture 9 Malicious Code. Spring 2013

Kautilya: Teensy beyond shells

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

Network Threats and Vulnerabilities. Ed Crowley

Windows Rootkit Overview

Breach Found. Did It Hurt?

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Uroburos Highly complex espionage software with Russian roots

WiFi Security Assessments

Visa Data Security Alert Malicious Software and Internet Protocol Addresses

Protecting Yourself from Identity Theft

Digital Forensic analysis of malware infected machine Case study ***

Reverse Engineering and Computer Security

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Spy Eye and Carberp the new banker trojans offensive

Integrated Protection for Systems. João Batista Territory Manager

RSA Security Anatomy of an Attack Lessons learned

Information Security Services

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

Web App Security Audit Services

ESET CYBER SECURITY PRO for Mac Quick Start Guide. Click here to download the most recent version of this document

Transcription:

The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved.

Physical memory refers to the random access memory (RAM) of the computer. RAM can be added or removed from a computer by adding or removing memory chips. Windows computers typically have anywhere from 256 Megabytes of RAM to over 2 Gigabytes. RAM is volatile memory that is lost when a computer is powered down. While the computer operates, RAM stores all the accumulated data for running applications and network communications. The RAM will contain the contents of application windows, keystrokes, and even email attachments. There is a wealth of information in RAM that exists only when applications are running. Most of this information cannot easily be obtained from a hard drive. Information that can be obtained from RAM includes: All running processes at the time of the memory snapshot All loaded modules and DLL s (dynamic link libraries) including injected malware All running device drivers, including potential rootkits All open files for each process, including path to file on disk All open registry keys for each process All open network sockets for each process, including IP address and port information that is calculated at runtime, such as packet buffers Decrypted versions of otherwise encrypted data Contents of windows Keystrokes Email attachments, file transfers, and other secondary data Cryptographic key material Hard drive encryption keys WEP and WPA wireless keys Usernames and passwords For many years, forensic analysts have known that physical memory is valuable. Tools have been developed to forensically image the contents of RAM, similar to the way a hard drive image is taken. But until very recently, nobody has built tools to analyze the contents of these physical memory images. RAM analysis is hard you have to parse undocumented and esoteric data structures which are unique to each operating system version. Every computer program and activity that is represented in the RAM can only be recovered through many layers of analysis. In the past, this had to be done by hand and thus was error prone and did not scale. Challenges to physical memory analysis include: Identification of the operating system, version, and service pack Use of undocumented internal data structures to the operating system Internal data structures may change between versions and service packs of the OS White Paper: The Value of Physical Memory for Incident Response Page 2 of 7

Physical memory Pages must be sorted and organized to rebuild the memory of the operating system Many sections of memory are paged out and this must be accounted for To extract an EXE or DLL file from memory it must be reconstructed and fixed up to return it to the portable executable (PE) format Traditional MD5/SHA1 filesystem hashing does not work for in memory files, the hashes will not match These reasons and more are why nobody has built a tool to perform analysis. Not only does a tool need to perform complicated and layered analysis, to be deployable as a product it must be able to analyze all the different versions and service packs of an operating system. This is made more difficult when dealing with closed source operating systems such as Microsoft Windows that are patched on a regular basis. Physical memory forensics can be used for a variety of purposes: Augment disk based forensics Detect which files each process had open at the time of seizure Detect if sensitive or proprietary data was being stolen Detect back door programs, spyware and keyloggers Detect advanced attacks, such as in memory only backdoors 1 Obtain unpacked/decrypted versions of programs that are packed/encrypted ondisk Detect hidden processes and drivers, such as rootkits Detect recently used email and web addresses Detect recently edited files Rootkits and other malware pose a serious threat to the Enterprise. Physical memory forensics offers a unique and powerful way to detect and analyze these threats. A rootkit may hide itself by patching the kernel or hooking functions on a running system, but a physical memory snapshot is analyzed offline and thus is not subject to these bypasses. The simple fact is that for code to execute it must exist in RAM, thus it can be found. Automated scans can detect many suspicious behaviors in running software, including potential rootkits. Combinations of factors can be used to narrow the search. For example, if a keyboard driver is accessing the filesystem, this may indicate a keylogger (see Table 1). Although not guaranteed to be malicious, the behavior is suspicious. 1 Metasploit Meterpreter, etc. White Paper: The Value of Physical Memory for Incident Response Page 3 of 7

Table 1 Two suspicious properties found on the "" device driver 2 ZwCreateFile ZwWriteFile ZwCreateFile Import This keyboard driver is accessing the filesystem, check for a keylogger ZwWriteFile Import This keyboard driver is accessing the filesystem, check for a keylogger Multiple factors can contribute to understanding whether software has malicious properties. These can include: Suspicious strings (see table 2) Use of suspicious libraries or functions, such as network or filesystem The combined use of several suspicious functions together Accessing user mode programs from kernel mode Use of protocols such as IRC, SMTP, or POP3 Use of encryption Network capabilities combined with backdoor commands Enumeration of files Use of registry keys to survive reboot Table 2 List of suspicious strings with analyst notes ( rootkit variant) Key logger thread Suspicious string terminated Driver: %s Suspicious string Keyboard hook detached from device... \Device\KeyboardClass0 Keyboard hook detached from device... Successfully created log file... \DosDevices\c:\.txt Scan code '%s' successfully written to file. Suspicious string This is definitely used by rootkits. Searching google revealed that a rootkit called "GMER" may also use this. Looks like it can detach also. Maybe it can be unloaded. Check for log file on system. This looks like a secret log file. Likely keystrokes. Suspicious string 2 MCSI Responder PRO, www.mcsi.mantech.com/responder White Paper: The Value of Physical Memory for Incident Response Page 4 of 7

hiding driver The driver looks like it can hide itself. It might not be detected by system tools. To address new and unknown threats, the human analyst must be involved. Although any factor can be suspicious on its own, the combination of several different factors working together can significantly boost the confidence that something malicious has been found. The human analyst can determine the relative importance of each finding and relate them together. In table 2 we see a list of suspicious strings and the notes made by an analyst. The target is a driver calling itself which turns out to be related to a keylogging rootkit. The terms scan code, hiding driver, and Key logger give away what this rootkit is doing. Table 3 Graph of all IRC commands in a rootkit 3 /Victim=[ vic online: /Ip= ] /Trojan Port=[ is Online IP ADDRESS= From: Subject: Vic: is online from Port: &Name= o vq0 zmd)l`q'dgo 3 Graph generated using MCSI Responder PRO Edition (www.mcsi.mantech.com/responder) White Paper: The Value of Physical Memory for Incident Response Page 5 of 7

%0A data_004b02e8 data_004b01e8 45000 PRIVMSG # Vic: IP ADDRESS= Server Port= is Online Please Open your Client to Chat First! NOT DONE Has logged OUT! Has logged IN! Client Opened to chat! Client Closed to chat! The relationships between suspicious strings can be reinforced further by following control flow and cross references, as shown in table 3. When viewed separately, the strings appear to be related, but when graphed we can see for certain they are related. See the graph below. To obtain these cross references requires the ability to extract EXE s and DLL s from the physical memory and then requires a subsequent disassembly step to obtain code and data cross references. Using graphs to explore string relationships is powerful and easy to grasp for people who have no prior reverse engineering experience. Graph based analysis is relatively new to the industry and is significantly less complex than traditional reverse engineering. White Paper: The Value of Physical Memory for Incident Response Page 6 of 7

Until recently, analysts who wanted these capabilities had to cobble together a variety of separate tools that only provide partial functionality. Because of the lack of commercially supported products, physical memory forensics has been slow to mature. Most research has resulted in free tools that are limited to specific operating system versions, have command line only interfaces, and have minimal parsing and extraction capabilities. White Paper: The Value of Physical Memory for Incident Response Page 7 of 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information